__________________________________________________________

The U.S. Department of Energy
Computer Incident Advisory Capability
__________________________________________________________

INFORMATION BULLETIN

Red Hat Elevated Privileges Vulnerability
[Red Hat Security Advisory RHSA-2004:017-06]

January 16, 2004 21:00 GMT                                  Number O-063
______________________________________________________________________________
PROBLEM: Red Hat has released their first kernel update for Enterprise
Linux 3. Along with many bug fixes and driver updates, it includes a
security fix for the eflags checking in the 32-bit ptrace emulation.

PLATFORM: Enterprise Linux AS (v.3)
          Enterprise Linux ES (v.3)
          Enterprise Linux WS (v.3)

DAMAGE: A local user could gain elevated privileges.

SOLUTION: Install the upgraded kernel packages.
______________________________________________________________________________
VULNERABILITY ASSESSMENT: The risk is MEDIUM. A local user could gain
elevated privileges.
______________________________________________________________________________
LINKS:
CIAC BULLETIN: http://www.ciac.org/ciac/bulletins/o-063.shtml
ORIGINAL BULLETIN: https://rhn.redhat.com/errata/RHSA-2004-017.html
CVE/CAN: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0001
______________________________________________________________________________
[***** Start Red Hat Security Advisory RHSA-2004:017-06 *****]

Updated kernel packages available for Red Hat Enterprise Linux 3 Update 1

Advisory: RHSA-2004:017-06
Last updated on: 2004-01-16
Affected Products: Red Hat Enterprise Linux AS (v. 3)
                   Red Hat Enterprise Linux ES (v. 3)
                   Red Hat Enterprise Linux WS (v. 3)
CVEs (cve.mitre.org): CAN-2004-0001

Security Advisory Details:

Updated kernel packages are now available as part of ongoing support
and maintenance of Red Hat Enterprise Linux version 3. This is the
first regular update.
The Linux kernel handles the basic functions of the operating system.

This is the first regular kernel update for Red Hat Enterprise Linux
version 3. It contains a new critical security fix, many other bug
fixes, several device driver updates, and numerous performance and
scalability enhancements.

On AMD64 systems, a fix was made to the eflags checking in 32-bit
ptrace emulation that could have allowed local users to elevate their
privileges. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2004-0001 to this issue.

Other bug fixes were made in the following kernel areas: VM, NPTL, IPC,
kernel timer, ext3, NFS, netdump, SCSI, ACPI, several device drivers,
and machine-dependent support for the x86_64, ppc64, and s390
architectures.

The VM subsystem was improved to better handle extreme loads and
resource contention (such as might occur during heavy database
application usage). This has resulted in a significantly reduced
possibility of hangs, OOM kills, and low-mem exhaustion.

Several NPTL fixes were made to resolve POSIX compliance issues
concerning process IDs and thread IDs. A section in the Release Notes
elaborates on a related issue with file record locking in
multi-threaded applications.

AMD64 kernels are now configured with NUMA support, S390 kernels now
have CONFIG_BLK_STATS enabled, and DMA capability was restored in the
IA64 agpgart driver.

The following drivers have been upgraded to new versions:

cmpci ------ 6.36
e100 ------- 2.3.30-k1
e1000 ------ 5.2.20-k1
ips -------- 6.10.52
megaraid --- v1.18k
megaraid2 -- v2.00.9

All Red Hat Enterprise Linux 3 users are advised to upgrade their
kernels to the packages associated with their machine architectures
and configurations as listed in this erratum.

Updated packages:

Red Hat Enterprise Linux AS (v. 3)
Red Hat Enterprise Linux ES (v. 3)
Red Hat Enterprise Linux WS (v. 3)

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.
To update all RPMs for your particular architecture, run:

    rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which
are not installed but included in the list will not be updated. Note
that you can also use wildcards (*.rpm) if your current directory
*only* contains the desired RPMs.

Please note that this update is also available via Red Hat Network.
Many people find this an easier way to apply updates. To use Red Hat
Network, launch the Red Hat Update Agent with the following command:

    up2date

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system.

If up2date fails to connect to Red Hat Network due to SSL Certificate
Errors, you need to install a version of the up2date client with an
updated certificate. The latest version of up2date is available from
the Red Hat FTP site and may also be downloaded directly from the RHN
website:

https://rhn.redhat.com/help/latest-up2date.pxt

Bugs fixed: (see bugzilla for more information)

101938 - C write fails for records gt 2 GB
102258 - [ibmsis] LTC3905 - RHEL_3 scsi midlayer hang
102400 - LTC3932 - kill10 hangs with RHEL 3 kernel
102535 - hang in ptrace for gdb traceback
103245 - LTC4138 - Vmstat not printing irqs/second
103304 - x86_64 oprofile.o driver misidentifies processor
103491 - NPTL-related invalid uses of thread ID
103671 - More informative memory error reporting on AMD64
104116 - [x86_64] Crash/CPU lockup running lmbench
104172 - GCC testsuite crashing .421 and .411 kernels
104260 - LTC4351 - kernel panic after rmmod'ing and then insmod'ing the olympic token ring module.
104313 - LTC4357 - viocons making > 4k writes
104338 - missing critical HP agp related patches
104520 - SMP Kernel hang on shutdown with Intel SRCZCR Raid Controller
104651 - RHEL 3 U1: Ability to blacklist what LUNS/scsi devices so kernel doesn't send start-unit commands in the event the LUN is identified as "not ready".
104730 - aic7xxx causes PCI PARITY ERROR on PE4600
104913 - LTC4532 - Signal handlers run with unaligned stack
105717 - ibm_opteron - Pid: 1, comm: swapper Not tainted
105749 - LTC4613 - machines fail to respond to reset
105890 - New Feature for AS 2.1 Update 3 - IA64 reqmt: tsc disable patch
105953 - dmidecode generates unaligned access errors
105989 - LTC4623 - install / as LVM throws python exception
106004 - Broadcom tg3 driver duplex won't set
106209 - Unblock device after queue full status
106214 - "reset erp" gone missing in 2.4.21-2.E
106396 - Hardware crypto support
106399 - SCSI I/O stall problem
106450 - Requesting updated acenic.o driver
106502 - Base driver button not loaded
106579 - LTC4821 - hwbrowser displays incorrect floppy capacity
106626 - Incorporate ESB PATA support
106648 - lcs updates from "the 38"
106651 - Export noop elevator
106785 - amd64 has siginificant bug in 32 bit emulation
106794 - LTC4829-RHEL 3 HANGS under heavy stress load
106944 - fcntl() returns tid rather than pid
107942 - thread code indeed freezes the kernel
107960 - No disk/partition statistics in /proc/partitions
108432 - Exiting program using multicast addr locks up a CPU after restart of network
108488 - Millisecond timer resolution on ia64
108492 - Possible security issue in the ia32 subsystem
108648 - No AGP support on Tyan 2885 K8W
110558 - [ ia64 ] Install disc panics on boot on some systems
110895 - running processes are not listed in /proc, with ps or top
111388 - [Patch] LTC5474 - CSP corrupted on P690 after update_flash of new firmware in LPAR
111446 - hang in RHEL 3 pthreads library
112365 - Kernel Panic when running pulse deamon
113106 - CAN-2004-0001 ptrace hole in x86-64
71514 - Infinite recursion in SCSI mid layer
77839 - Assert failure in transaction.c:1224: "!jh->b_committed_data
85974 - IDE tape generates errors when execute mt command
90204 - Downgrade assert failure at revoke.c:329 to a warning
90207 - RHEL AS2.1 IPF: Linux scheduler interaction - threads all running on one processor
97065 - Updated cciss driver does not clean up properly after load failiure
98132 - (NET E1000) Taroon Alpha4 e1000 driver does not detect currently being tested NIC/LOM's
99251 - aic7xxx/79xx causes PCI PARITY ERROR on PE4600

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0001

Keywords: kernel, taroon, update

--------------------------------------------------------------------------------

The listed packages are GPG signed by Red Hat, Inc. for security. Our
key is available at:

http://www.redhat.com/solutions/security/news/publickey/#key

You can verify each package and see who signed it with the following
command:

    rpm --checksig -v filename

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:

    md5sum filename

The Red Hat security contact is security@redhat.com. More contact
details at http://www.redhat.com/solutions/security/news/contact.html

Copyright © 2002 Red Hat, Inc. All rights reserved.

[***** End Red Hat Security Advisory RHSA-2004:017-06 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Red Hat for the
information contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in
Livermore, California. CIAC is also a founding member of FIRST, the
Forum of Incident Response and Security Teams, a global organization
established to foster cooperation and coordination among computer
security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:

    Voice: +1 925-422-8193 (7x24)
    FAX: +1 925-423-8002
    STU-III: +1 925-423-2604
    E-mail: ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web: http://www.ciac.org/
    Anonymous FTP: ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California.
The views and opinions of authors expressed herein do not necessarily
state or reflect those of the United States Government or the
University of California, and shall not be used for advertising or
product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

O-053: Microsoft Buffer Overrun in MDAC Function Could Allow Code Execution
O-054: Red Hat Updated kdepim Packages Resolve Security Vulnerability
O-055: Red Hat Updated elm Packages Fix Vulnerability in frm Command
O-056: Hewlett-Packard dtterm Vulnerability
O-057: Hewlett-Packard libDtSvc Vulnerability
O-058: Hewlett-Packard SharedX Vulnerability
O-059: Debian Linux-Kernel-2.4.14-ia64 Vulnerabilities
O-060: Debian Password Expiration Vulnerability
O-061: Red Hat Updated tcpdump Packages Fix Various Vulnerabilities
O-062: CERT Advisory Multiple H.323 Message Vulnerabilities